The current versions of the popular ad server software OpenX Source (2.8.11) and Revive Adserver (3.0.1) are vulnerable to a SQL injection attack which allows attackers to gain backend access. The vulnerability is actively being exploited.

The OpenX team has been informed. For Revive, I submitted a pull request with a fix.

I recommend applying the patches immediately, since the vulnerability is actively being exploited and has been for some time now.

Update 19.12.: The Revive team confirmed the vulnerability and is working on a fixed version.

Update 20.12.: The Revive team released Revive Adserver 3.0.2, which fixes the vulnerability. If possible, I recommend updating to this version as soon as possible (including users of OpenX). Thanks a lot to the team for the quick reaction!

The Revive team also suggests a quicker temporary fix for people who cannot update right away: remove “www/delivery/axmlrpc.php” if you do not need XML-RPC delivery (most setups use different delivery methods).

Update 3.2.2014: Removing axmlrpc.php alone does not seem to be enough to fully protect an installation. dxmlrpc.php should be removed as well. Many thanks to Péter Veres for the discovery!

By the way

If you are managing an OpenX Source or Revive Adserver installation, take a look at the OpenX Maintenance Checklist or Revive Adserver Maintenance Checklist. It helps you keep track of frequent maintenance tasks and security checks. If you sign up for an account at Checkpanel (not required) you can easily manage this checklist. You can see when you last checked each item, set reminders, work in teams and more. Checkpanel is not limited to OpenX/Revive checklists – it helps you manage all kinds of recurring tasks (see some other samples and features).

Users of OpenX should apply this fix immediately even if only trusted parties have access to the installation. The vulnerability is used in conjunction with other vulnerabilities to gain system access through hijacked accounts.

Revive Adserver (a fork of OpenX source) is vulnerable as well. I have submitted a pull request. Update: The Revive team confirmed the issue and accepted my patch on the same day.


There is a critical security flaw in OpenX 2.8.6 (and 2.8.5 and probably several earlier versions) which allows attackers to gain control of the webserver account and thus the adserver. The security hole is being actively exploited in the wild (as I learned the hard way). It seems that this hole is only known to attackers (in the OpenX context) at the moment, since I was not able to find any warning or other reference to it.

The problem lies in the following file:

/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php

The file ships with the video plugin. It is a component of Open Flash Chart 2 which is already known to be vulnerable. Basically, it allows an attacker to upload any file to the server including executables. This way, the attacker uploads a php backdoor and gains full access to the webserver account. From there he can (amongst other things) take control over the OpenX installation.

In our case, the attacker created a new admin user in the OpenX database called “root”. Interestingly, this user was not shown anywhere in the user accounts. But it did show up in the user log when he appended the following malicious script to one of our ad zones:

Interestingly, this vulnerability is also still present in the latest version of Open Flash Chart 2. It wouldn’t be hard to fix, but seemingly no one has bothered to release a fix yet. Me neither, since I do not need this component. A simple workaround is to delete ofc_upload_image.php. The core features of OpenX should not be affected, since this file seems to be connected to reports of the video plugin and might even be unused (since it is part of a whole library). Alternatively, access to the file can be restricted via .htaccess to trusted users.

I highly recommend doing this immediately, since this vulnerability is being actively exploited.

Also check for signs of an already installed backdoor. In our case, the attacker closed the vulnerability himself (presumably so that no one else can take control over his loot), so take a look at the file before deleting it and compare it with the one that ships with OpenX. If it has been edited, you have probably already been hacked and a backdoor is installed.

What to do once the server has been hacked (Update 11.9.2010)

If you think your server has been compromised, you need to make sure that you get rid of all backdoors that might have been hidden in your system. Finding a backdoor in a compromised OpenX installation is tricky at best, so it is better to get rid of the original installation completely.

Re-install OpenX and apply the fix mentioned above. Do not keep any files of the old installation. Delete or archive everything that you did not install freshly from a trusted source.

Check your database. Take a look at the table ox_users and delete every entry that does not represent a trusted user. Check the prepend and append fields of all banners and zones. Remove suspicious code.

Change your passwords.

If you want to be absolutely sure, you would have to re-install the whole server because it might have been rooted. But if your server was configured securely and did not contain any vulnerabilities that can be exploited by local users, the chances of this are moderately low. Decide for yourself if you want to take this time-consuming measure.
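The three checks above (compare ofc_upload_image.php with the shipped copy, look for untrusted entries in ox_users, inspect the prepend/append fields of banners and zones) as a small triage script. This is an added example, not part of the original post or of OpenX; the SHA-256 you compare against must be computed from a pristine release archive, the SUSPICIOUS patterns are my own heuristics, and the sample rows stand in for the results of SELECT queries against the database.

```python
import hashlib
import re
from pathlib import Path

# Constructed heuristics for HTML/JS injected into prepend/append fields.
# Not a signature list from the original post; extend for your own setup.
SUSPICIOUS = re.compile(
    r"<script\b|<iframe\b|eval\s*\(|document\.write|base64_decode|fromCharCode",
    re.IGNORECASE,
)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def content_modified(data: bytes, known_good_sha256: str) -> bool:
    """True if the file content differs from the pristine copy (by SHA-256)."""
    return sha256_hex(data) != known_good_sha256.lower()

def file_modified(path: str, known_good_sha256: str) -> bool:
    """Same check for a file on disk, e.g. ofc_upload_image.php."""
    return content_modified(Path(path).read_bytes(), known_good_sha256)

def untrusted_users(rows, trusted_usernames):
    """Return ox_users rows whose username is not in the trusted list."""
    trusted = {u.lower() for u in trusted_usernames}
    return [r for r in rows if r["username"].lower() not in trusted]

def suspicious_fields(rows):
    """Return (table, id, field) for prepend/append values matching SUSPICIOUS."""
    hits = []
    for r in rows:
        for field in ("prepend", "append"):
            if SUSPICIOUS.search(r.get(field) or ""):
                hits.append((r["table"], r["id"], field))
    return hits

# Constructed sample data standing in for ox_users, ox_zones and ox_banners rows.
SAMPLE_USERS = [
    {"user_id": 1, "username": "admin"},
    {"user_id": 2, "username": "editor"},
    {"user_id": 7, "username": "root"},  # the kind of account described above
]
SAMPLE_FIELDS = [
    {"table": "ox_zones", "id": 3, "prepend": "", "append": "<!-- tracking -->"},
    {"table": "ox_zones", "id": 4, "prepend": "", "append": "<script src='http://example.invalid/x.js'></script>"},
    {"table": "ox_banners", "id": 9, "prepend": '<iframe src="http://example.invalid/" width=0 height=0>', "append": ""},
]

if __name__ == "__main__":
    print("untrusted users:", untrusted_users(SAMPLE_USERS, ["admin", "editor"]))
    print("suspicious fields:", suspicious_fields(SAMPLE_FIELDS))
```

In a real check, feed the script the rows of `SELECT user_id, username FROM ox_users` and the prepend/append columns of ox_banners and ox_zones, and treat every hit as something to inspect by hand rather than delete blindly.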